Introduction

Governments and commercial organizations are being challenged to implement cost-effective security solutions that meet the operational needs of their end-users while complying with regulatory requirements. This takes place not only within their internal networks but increasingly in a broader network of networks, enabling secure collaboration across departments and agencies. Only the highest levels of trust make this possible, and only solutions and services built on advanced, standards-based products can deliver that trust.

With an ecosystem that is continually evolving, the demands on any organization's security infrastructure are being stretched, and with the Internet of Things a huge growth area, governments and commercial organizations must be able to deploy a toolset that meets such requirements today. They should also look to vendors whose product roadmaps track these requirements, so that solid support is available in the future.

Organizations should look for a solution architected specifically to address such challenges. The solution should be designed to provide interoperability in a large network of networks in which security decisions are enabled across the entire environment. For instance, an authentication decision to access a specific network, application or file should be based on a global policy framework that is inherent in the client applications and enabled on a per-application and per-user basis. The solution should make use of the advanced certificate lifecycle management capabilities present in its client software, as well as toolkits, so that keys and certificates are managed properly and cost-effectively, simply and transparently. This assures end-to-end trust in cross-certified or bridged public key infrastructure (PKI) environments. Advanced key and certificate management enables the use of digital credentials even in the most demanding security environments.

Such solutions enable users, whether internal or external to the network, to benefit from both basic and enhanced capabilities in a consistent and secure manner. This document was created to assist organizations in selecting the PKI solution that best meets their business and security needs. It outlines key questions to be considered during the selection process to ensure the requirements above are addressed. This is not intended to be an exhaustive list; it is meant as a starting place to assist you in your review process.

Key Considerations When Selecting a PKI Solution

Note: This is not intended to be an exhaustive list. It is meant as a starting place to assist you in your requirements gathering process.

1 Certification Authority (CA)

1.1 Setup and Administration

- Does the CA support a hardware solution (e.g., an HSM) for storage and use of the CA signing private key? What level of FIPS 140-x validation does this hardware device hold?
- Does the solution support users with a single key pair, dual key pairs and multiple key pairs?
- Does the solution allow multiple authentication techniques for a single individual (e.g., smart cards, biometrics, passwords only)?
- Does the solution's client software support the use of smart cards or biometric devices for authentication? List the supported devices.
- Can access to the CA's administrative functions be customized using an API? Describe the API.
- What user and device enrollment options are included? Are there self-enrollment and self-recovery options?
- Does the solution allow the client to define custom certificate types on the fly, such as specialized device certificates, code-signing certificates, etc.?
- Does the solution support CA key rollover? If so, how is this done? To what extent is the process automated? What is the impact on end-users?
- During CA key rollover, can use of the new CA key be held off until the new CA certificate has been distributed to all endpoints, and only then marked active?
- Does the vendor offer a choice between an in-house PKI and a hosted service provided by the vendor? If so, can the customer switch between the in-house and hosted solutions should business requirements change?

1.2 Password Management

- Does the solution provide centrally configurable password rules that can be applied consistently across applications? Describe them.
- Does the solution transmit any passwords in the clear over a network, or store passwords in the clear at any time? Describe the general methodology for avoiding transmission of passwords and for clearing residual passwords from memory.

1.3 Key Update and Certificate Update

- Describe how key pairs are updated.
- Does the solution provide automatic and transparent updates of both keys and certificates for users before key expiry?
- Does the solution transparently maintain encryption and verification key history, allowing users to decrypt or verify archived data that was encrypted or signed under old keys? Explain the steps a user would follow to decrypt data encrypted under a previous encryption key.
- Is certificate management applied consistently across all certificates and key pairs regardless of where they are stored (in hardware or in software)?

1.4 Key Backup/Recovery

- Does the solution provide integrated, transparent key backup and recovery? If so, is there an extra cost for this functionality?
- How does the solution ensure data can be decrypted after one or multiple key rollovers?
- How are the keys and certificates managed within the key store? Are separate keys and certificates managed within a key store, or as a single identity?
- Can all of a user's archived keys (i.e., the user's entire key history) be recovered in a single step, or are users and administrators required to perform additional manual operations for each recovered key pair?
- How does a user recover keys if they become lost or corrupted? Describe the process.
- Can keys be recovered by a user alone, or is administrative assistance required?
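The property that 1.3 and 1.4 ask the vendor about (data enveloped under an earlier encryption key stays decryptable after one or more key rollovers, as long as the retired private keys are retained and each envelope records which key wrapped it) is easier to evaluate with a concrete model in hand. The following is an added example written for this guide, not code from Entrust or from any product; it uses the `cryptography` package, and the envelope layout, the key-identifier derivation and the `KeyHistory` class are this example's own assumptions rather than a vendor or CMS format.

```python
"""Added example (not Entrust's code): an encryption key history.

Each envelope records the identifier of the public key it was wrapped under,
so a record encrypted before one or more key rollovers is still decryptable
by looking that identifier up in the retained history. Requires the
`cryptography` package. Envelope layout and key-id derivation are this
example's assumptions, not a vendor or CMS format.
"""
import os
from dataclasses import dataclass, field

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP (SHA-256) for wrapping the per-record content-encryption key.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def key_identifier(public_key: rsa.RSAPublicKey) -> bytes:
    """20-byte id: truncated SHA-256 over the DER SubjectPublicKeyInfo.
    (A deployment would use the certificate's SubjectKeyIdentifier; this
    derivation is an assumption of the example.)"""
    spki = public_key.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)
    digest = hashes.Hash(hashes.SHA256())
    digest.update(spki)
    return digest.finalize()[:20]


@dataclass
class KeyHistory:
    """Current encryption key plus every retired key, indexed by key id."""
    current: rsa.RSAPrivateKey
    retired: dict = field(default_factory=dict)   # key id -> private key

    @classmethod
    def new(cls) -> "KeyHistory":
        return cls(current=rsa.generate_private_key(65537, 2048))

    def rollover(self) -> None:
        """Retire the current key (kept for decryption only) and generate a new one."""
        self.retired[key_identifier(self.current.public_key())] = self.current
        self.current = rsa.generate_private_key(65537, 2048)

    def encrypt(self, plaintext: bytes) -> dict:
        """Hybrid envelope: AES-256-GCM for the data, the current RSA key wraps
        the CEK. The key id is bound as associated data so it cannot be swapped."""
        cek = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        kid = key_identifier(self.current.public_key())
        return {"kid": kid,
                "wrapped_cek": self.current.public_key().encrypt(cek, OAEP),
                "nonce": nonce,
                "ciphertext": AESGCM(cek).encrypt(nonce, plaintext, kid)}

    def private_key_for(self, kid: bytes):
        if kid == key_identifier(self.current.public_key()):
            return self.current
        return self.retired.get(kid)

    def decrypt(self, envelope: dict) -> bytes:
        """Locate the wrapping key by id; fail loudly if history was not retained."""
        key = self.private_key_for(envelope["kid"])
        if key is None:
            raise KeyError(f"no private key in history for kid {envelope['kid'].hex()}")
        cek = key.decrypt(envelope["wrapped_cek"], OAEP)
        return AESGCM(cek).decrypt(envelope["nonce"], envelope["ciphertext"], envelope["kid"])


def demo(rollovers: int = 3) -> list:
    """Encrypt one record per key generation, roll the key after each, then
    decrypt every record with the final history. Returns the plaintexts."""
    history = KeyHistory.new()
    envelopes = []
    for i in range(rollovers):
        envelopes.append(history.encrypt(b"record %d" % i))   # constructed sample data
        history.rollover()
    return [history.decrypt(e) for e in envelopes]


def demo_without_history() -> bool:
    """Same sequence, but retired keys are discarded: the archived record is
    unrecoverable, which is the failure mode 1.4 asks the vendor to rule out."""
    history = KeyHistory.new()
    env = history.encrypt(b"archived record")
    history.rollover()
    history.retired.clear()        # simulate a product that keeps only the current key
    try:
        history.decrypt(env)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    print(demo())
    print("recoverable without history:", demo_without_history())
```

The design point worth carrying into vendor conversations is that the envelope, not the user, identifies the decryption key: if a product cannot show you how its archived data names the key it was protected under, "transparent" recovery after rollover depends on the user guessing which old key to try.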

1.5 Cross-Certification

- Does the solution support both peer-to-peer and hierarchical cross-certification?
- Can digital signatures be fully verified across departments or between organizations in a bridged-PKI environment? If so, how is this accomplished? Is the method standards-based?
- Can specific limits on trust relationships between CAs be imposed and automatically enforced for the user? For example, when cross-certifying with another organization, can users be restricted to trusting pre-determined departments only?
- Can the root CA of a hierarchical trust model be taken offline to increase security without affecting the ability of the subordinate CAs to operate?

1.6 Administration and Enrollment

- Does the solution deliver comprehensive administrative control of security policy settings and desktop enforcement of those settings?
- Does the solution support multiple remote registration authorities securely executing administrative functions on the PKI system simultaneously?
- Can multiple authorizations be required, for a higher level of assurance, when performing sensitive administrative functions?
- Can enrollment and administration requests be queued for single or multiple administrator approval?
- Does the solution support the standards-based enrollment protocols and request formats, such as:
  - Simple Certificate Enrollment Protocol (SCEP)
  - PKCS#10 certificate requests
  - Enrollment over Secure Transport (EST)
  - Certificate Management Protocol version 2 (CMPv2)
  - Mobile Device Management Web Service (MDM-WS)
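The "pre-determined departments only" limit in 1.5 is expressed in standard X.509 as a NameConstraints extension (RFC 5280, section 4.2.1.10) placed in the cross-certificate you issue to the partner CA; whether a product actually enforces it on the client side is what the question is probing. Below is an added example, written for this guide and not taken from Entrust or any product, that builds a constrained cross-certificate with the `cryptography` package and runs a checker of this example's own construction (not a library's path validator) over leaves the partner CA issues. The CA names and DNS suffixes are hypothetical.

```python
"""Added example (not Entrust's code): enforcing a name-constrained cross-certificate.

Our root cross-certifies a partner CA with a NameConstraints extension that
permits only DNS names under `sales.partner.example`. The checker below
(written for this example, not a library's path validator) verifies the
leaf's signature against the cross-certificate and rejects any subject
alternative DNS name outside the permitted subtree. Requires `cryptography`;
CA names and domains are hypothetical.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject, issuer, public_key, signer, extensions):
    """Sign a one-day certificate carrying the given (extension, critical) pairs."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer).public_key(public_key)
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=1))
               .not_valid_after(now + datetime.timedelta(days=1)))
    for ext, critical in extensions:
        builder = builder.add_extension(ext, critical=critical)
    return builder.sign(signer, hashes.SHA256())


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 DNS matching: the name equals the constraint or is formed by
    prepending whole labels, so 'evilsales.partner.example' does NOT match
    'sales.partner.example'."""
    name, subtree = name.lower(), subtree.lower()
    return name == subtree or name.endswith("." + subtree)


def verify_under_cross_cert(leaf: x509.Certificate, cross: x509.Certificate) -> bool:
    """Issuer/signature check plus NameConstraints enforcement for DNS names."""
    if leaf.issuer != cross.subject:
        return False
    try:
        cross.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                  ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False
    try:
        nc = cross.extensions.get_extension_for_class(x509.NameConstraints).value
    except x509.ExtensionNotFound:
        return True                     # unconstrained cross-certificate: full trust
    permitted = [g.value for g in (nc.permitted_subtrees or []) if isinstance(g, x509.DNSName)]
    excluded = [g.value for g in (nc.excluded_subtrees or []) if isinstance(g, x509.DNSName)]
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    for dns in san.get_values_for_type(x509.DNSName):
        if any(dns_in_subtree(dns, s) for s in excluded):
            return False
        if permitted and not any(dns_in_subtree(dns, s) for s in permitted):
            return False
    return True


def cross_certify_and_check(leaf_dns: str, permitted: str = "sales.partner.example") -> bool:
    """Our root cross-certifies the partner CA restricted to `permitted`; the
    partner then issues a leaf for `leaf_dns`. Returns whether we accept it."""
    our_root = ec.generate_private_key(ec.SECP256R1())
    partner_ca = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    cross = _issue(_name("Partner CA"), _name("Our Root CA"), partner_ca.public_key(), our_root, [
        (x509.BasicConstraints(ca=True, path_length=0), True),
        (x509.NameConstraints(permitted_subtrees=[x509.DNSName(permitted)],
                              excluded_subtrees=None), True),
    ])
    leaf = _issue(_name(leaf_dns), _name("Partner CA"), leaf_key.public_key(), partner_ca, [
        (x509.BasicConstraints(ca=False, path_length=None), True),
        (x509.SubjectAlternativeName([x509.DNSName(leaf_dns)]), False),
    ])
    return verify_under_cross_cert(leaf, cross)


if __name__ == "__main__":
    for host in ("portal.sales.partner.example", "hr.partner.example", "evilsales.partner.example"):
        print(host, "->", "accepted" if cross_certify_and_check(host) else "rejected")
```

Two details matter when you test a vendor's client against this: the constraint must be marked critical (a verifier that does not understand it must then reject the chain rather than silently grant full trust), and the matching must be by whole label, since a suffix-only comparison lets the partner mint `evilsales.partner.example` inside your trust boundary.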

1.7 Reporting

- Describe any audit trail and reporting capability provided by the solution, including how the audit logs themselves are protected.
- Can a report be generated that describes all administrative operations performed?
- Does the solution support automatic notification of events and alarms? Describe how this is achieved. Is SNMP supported?
- Does the vendor protect the integrity of audit logs?

1.8 Standards and Cryptographic Algorithms

- Does the vendor use and promote the use of open standards? If so, list the supported standards.
- List the data encryption algorithms and key lengths supported by the product.
- Has the vendor's solution received third-party validation? If so, list the relevant validations.

1.9 Scalability

- How many users per CA does the solution support?
- Does the solution support communication with multiple LDAP servers (for load balancing, redundancy and scalability)?
- Describe the directory support provided. List the X.500 or LDAP directories that have been successfully implemented with the solution, and the leading commercial directories supported by the product.
- Describe your deployment experience with the product. Provide three examples of large deployments for organizations similar in size and scope.

1.10 Certificates

- Does the solution support X.509v3 certificates?
- Can the solution manage both user and non-user credentials, such as device certificates? Are these certificates managed in the same way as user credentials?
- Does the solution support multiple certificate types from a single infrastructure (e.g., VPN device certificates, SSL/TLS server certificates, end-user S/MIME certificates)?
- Does the vendor allow flexibility in certificate contents to support certificate extensions? Can certificate extensions be set on a per-user basis?
- Does the solution require proprietary (non-standards-based) certificate extensions for its operation? If so, what are these extensions, and can they be removed?
- Does the solution support a single set of public key credentials for each user, used across all applications in the organization that require security (e.g., file/folder encryption, desktop authentication, secure e-mail, remote access, Web browsing, e-forms)?
- Are multiple key pairs protected with a single strong password, with support for single login?
- Does the vendor provide automated certificate verification and certificate look-up?
- Can the solution automatically issue a certificate revocation list (CRL) after a certificate is revoked?
- Does the solution allow users to perform offline revocation checking of certificates?

2 Client Software

2.1 Security

- Does the solution ensure consistent security policies and one common security mechanism across multiple applications and multiple platforms?
- Are the solution's configuration and user policies centrally managed? If so, how are they propagated? (This is important to ensure consistency and auditability of the security controls across the customer's organization.)
- Can changes in policy regarding cryptographic algorithms be performed centrally, automatically and transparently to end-users?
- Does the solution support single login to all applications integrated with the PKI, including back-end and desktop applications?
- Does the solution provide a secure means of protecting private keys on the client workstation? Describe the methods used to protect the private keys.
- Are the solution's security mechanisms transparent to the end-user?
- Does the product allow users to perform encryption and revocation checking of certificates while offline?
- Does the offering provide a complete end-to-end secure desktop solution? What operating systems does the solution support?
- Does the vendor offer enhanced security management to automate all aspects of the lifecycle of a digital ID? If automatic renewal of certificates and key pairs is supported, how do applications make use of the new keys?
- Does the solution integrate with a Virtual Private Network (VPN) solution? Is it available on multiple remote access clients? List the VPN clients supported.

3 End-Users

3.1 Usability

- Are applications supported with a single, managed digital ID, or are users required to manage a separate identity for each application?
- Does the solution support roaming to multiple workstations? If so, for which applications, and with or without smart cards? Can users share common workstations without having to carry an ID?
- Does the vendor permit users to easily change between locally stored digital IDs, roaming access and smart card-based digital IDs?
- Does the vendor have an enterprise solution at the client level that does not require client software?
- Describe the process users follow to receive their certificates for the first time. How long does it take to issue a certificate to an end-user? Will the enrollment process be the same in a distributed environment?
- Describe the process users follow to renew their certificates.
- Describe the process users follow to recover their certificates.
- Are certificate licenses reusable (i.e., when an individual leaves the organization and that individual's certificate is revoked, can the license be reused for a new user)?
- What happens during the recovery or update of a smart card credential if the smart card is full?
- Does the solution offer card management for PIV cards?
- Can the solution offer certificate enrollment and lifecycle management for keys and certificates held in a Trusted Platform Module (TPM)?

4 PKI as a Hosted Service

4.1 Services Available

- What types of hosting arrangements are available to customers? For instance, does the vendor provide the flexibility to switch between in-house and hosted solutions should business requirements change?
- Are professional services available to assist customers with implementation?
- What client software and capabilities are included (secure file protection, secure e-mail, others)?
- What training and/or documentation is available as part of the service? Is additional training or documentation available?
- Is a test environment available for customers?
- Are certificates available for Web servers, VPN devices and users without client-side software?
- What support is provided for OCSP? Is it integrated into the solution or a separate/additional product?
- What optional services are available?

4.2 Security

- Describe the physical security arrangements of the hosting facility.
- Describe the disaster recovery facilities provided.

4.3 Pricing

- What are the components of the pricing structure? What is included in each component?

4.4 Setup

- How much control can/will the customer have over certificate contents?
- Will the directory be supplied by the customer or by the hosting service?
- Can certificates chain to a publicly trusted root?

4.5 Operational Issues

- What are the support terms and conditions?
- How is recovery data, such as authorization credentials, protected?
- How are the CA keys protected?
- Is there a limit on the number of certificates my organization can use?
- How quickly can new certificate types be made available?

5 Vendor

5.1 Corporate Information

Briefly describe the following:

- Corporate profile
- Number of employees
- Corporate headquarters and other office locations
- Financials (copy of 10-K report or annual report)
- Any product awards won in the last five years
- Any relevant experience and customer deployments. Are these customers referenceable?
- Your corporate quality and security assurance process

5.2 Technical Support

- Describe your technical support options, policies and procedures.

5.3 Documentation and Training

- Describe your method of providing documentation and training for your products.

5.4 Strategic Partnerships

- Describe the strategic relationships or vendor alliances you have for the delivery of digital signature, authentication and encryption products and services.

5.5 Services

- Does your company provide professional services capabilities on a global basis?
- Does your company have a dedicated solution design and deployment team that enables customer input to product enhancements?

About Entrust Datacard

Consumers, citizens and employees increasingly expect anywhere-anytime experiences, whether they are making purchases, crossing borders, accessing e-gov services or logging onto corporate networks. Entrust Datacard offers the trusted identity and secure transaction technologies that make those experiences reliable and secure. Solutions range from the physical world of financial cards, passports and ID cards to the digital realm of authentication, certificates and secure communications. With more than 2,000 Entrust Datacard colleagues around the world, and a network of strong global partners, the company serves customers in 150 countries worldwide. For more information about Entrust products and services, visit entrust.com.

Company Facts
Website: entrust.com
Employees: 359
Customers: 5,000
Offices: 10 globally
Headquarters: Three Lincoln Centre, 5430 LBJ Freeway, Suite 1250, Dallas, TX, USA

Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. In Canada, Entrust is a registered trademark of Entrust Limited. All other Entrust product names and service names are trademarks or registered trademarks of Entrust, Inc. or Entrust Limited in certain countries. Entrust Datacard and the hexagon logo are trademarks of Entrust Datacard Corporation. Entrust. All rights reserved.
